From 6f24c8ef462ea89ef3fb1a4d79e3cdc0554cb812 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Fri, 13 Feb 2026 17:05:20 -0500
Subject: [PATCH] Replace cosign with buildx attestations for Docker Scout compliance
Docker Scout requires buildx-style provenance+SBOM, not cosign attestations. Replace crane push with docker load + buildx build (--provenance=mode=max --sbom=true) for the installer image. Use buildx imagetools create for the release tag to preserve attestations. Remove cosign/syft from CI.
Co-Authored-By: Claude Opus 4.6
---
.gitea/workflows/build.yaml | 11 ++---------
Makefile | 31 ++++++++-----------------------
TECHNICAL.md | 2 --
3 files changed, 10 insertions(+), 34 deletions(-)
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index abf07fe..d745083 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -30,7 +30,7 @@ jobs:
- name: Install build dependencies
run: |
- for pkg in make gnu-sed crane cosign syft; do
+ for pkg in make gnu-sed crane; do
brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
done
gmake --version | head -1
@@ -63,15 +63,8 @@ jobs:
- name: Build installer and disk image
run: gmake installer
- - name: Attest installer image
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- run: gmake attest COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
-
- name: Tag release images
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- run: gmake release TAG=${{ steps.version.outputs.tag }} COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
+ run: gmake release TAG=${{ steps.version.outputs.tag }}
- name: Compress disk image
run: |
diff --git a/Makefile b/Makefile
index 157a7bb..55ca976 100644
--- a/Makefile
+++ b/Makefile
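Review bot: Removing the attest step takes away the only signed statement about the installer image; the buildx provenance and SBOM that replace it are attached to the image index as unsigned in-toto attestation manifests, so anyone with push rights to the registry can replace both the image and its attestations without any consumer noticing, and the `cosign verify-attestation --key …` check downstream users may have relied on no longer has anything to verify. The two mechanisms are not mutually exclusive: a step after `gmake installer` along the lines of `cosign sign --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") "$IMAGE@$DIGEST"` (with the digest captured from the push) would sign what was built while leaving the buildx attestations Docker Scout reads untouched. If dropping signing is intentional, the now-unused `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` org secrets should be deleted or the key rotated rather than left sitting in the org, and the loss of signed provenance should be called out in the release notes. The enclosing job continues outside this hunk.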
@@ -74,7 +74,6 @@ help:
@echo " overlay — Build SBC overlay (U-Boot, firmware, DTBs)"
@echo " installer — Build Talos installer image + raw disk image"
@echo " release — Tag and push release images"
- @echo " attest — Attach SBOM attestation to installer image"
@echo " clean — Remove checkouts and build artifacts"
@echo ""
@echo "Variables:"
@@ -180,7 +179,11 @@ installer:
installer --arch arm64 \
--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
$(IMAGER_COMMON_FLAGS) && \
- crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
+ LOADED=$$(docker load -i ./_out/installer-arm64.tar | sed 's/Loaded image: //') && \
+ printf "FROM $$LOADED\n" | docker buildx build \
+ --platform linux/arm64 \
+ $(ATTESTATION_ARGS) \
+ -t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
docker \
run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
$(IMAGER_IMAGE):$(TALOS_TAG) \
@@ -188,32 +191,14 @@ installer:
--base-installer-image="$(INSTALLER_IMAGE):$(TALOS_TAG)" \
$(IMAGER_COMMON_FLAGS)
-#
-# Attestation — attach SBOM to crane-pushed images
-#
-COSIGN_KEY ?= cosign.key
-
-.PHONY: attest
-attest:
- syft $(INSTALLER_IMAGE):$(TALOS_TAG) \
- --platform linux/arm64 \
- -o spdx-json=_out/installer-sbom.spdx.json
- cosign attest --predicate _out/installer-sbom.spdx.json \
- --type spdxjson \
- --key $(COSIGN_KEY) \
- $(INSTALLER_IMAGE):$(TALOS_TAG)
-
#
# Release — tag images with the Git tag for stable references
#
.PHONY: release
release:
- crane copy $(INSTALLER_IMAGE):$(TALOS_TAG) \
- $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
- cosign attest --predicate _out/installer-sbom.spdx.json \
- --type spdxjson \
- --key $(COSIGN_KEY) \
- $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
+ docker buildx imagetools create \
+ -t $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) \
+ $(INSTALLER_IMAGE):$(TALOS_TAG)
#
# Clean
diff --git a/TECHNICAL.md b/TECHNICAL.md
index 0c89f97..583b723 100644
--- a/TECHNICAL.md
+++ b/TECHNICAL.md
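Review bot: `LOADED` is taken from the whole of `docker load`'s stdout with only the `Loaded image: ` prefix stripped, so a tarball that carries no repo tag (`Loaded image ID: sha256:…`) or more than one tag produces a malformed `FROM` line; narrowing it to `sed -n 's/^Loaded image: //p'` and following with `test -n "$$LOADED"` makes that failure explicit instead of surfacing as a Dockerfile parse error. `$(ATTESTATION_ARGS)` is not defined anywhere in this patch, so unless it is set elsewhere in the Makefile it expands to nothing and the image is pushed silently without the provenance and SBOM this change exists to add; a guard such as `$(if $(strip $(ATTESTATION_ARGS)),,$(error ATTESTATION_ARGS is empty))` on the recipe would catch that. Worth a comment on the `printf "FROM …"` line as well: because the attested build is a one-line wrapper around a locally loaded image, `mode=max` provenance describes that wrapper, not the imager run that actually produced the installer, and its base-image material cannot be pinned to a registry digest. The enclosing `installer` recipe starts before this hunk.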
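Review bot: `release` resolves the mutable `$(INSTALLER_IMAGE):$(TALOS_TAG)` tag at tag time rather than the digest that `installer` just pushed, so a concurrent run or a later rebuild of the same Talos version that overwrites that tag is what ends up promoted under the Git tag. Having `installer` write the pushed digest (buildx `--metadata-file _out/installer.json` exposes `containerimage.digest`, or `docker buildx imagetools inspect --format '{{.Manifest.Digest}}'` immediately after the push) and tagging `$(INSTALLER_IMAGE)@$$(cat _out/installer.digest)` here pins the release to the artifact that was actually built and attested. With `cosign attest` gone, the release tag now carries only the unsigned buildx attestation manifests; if signed provenance remains a requirement for consumers, a `cosign sign` of that same digest in this target restores it without affecting what Docker Scout reads.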
@@ -36,8 +36,6 @@ A weekly scheduled workflow checks for new Talos and RPi kernel releases and cre
|--------|-------------|
| `REGISTRY_USERNAME` | Docker Hub username (org-level) |
| `REGISTRY_PASSWORD` | Docker Hub access token (org-level) |
-| `COSIGN_PRIVATE_KEY` | PEM-encoded cosign signing key (org-level) |
-| `COSIGN_PASSWORD` | Password for the cosign private key (org-level) |
## Runner Setup (Apple Silicon Mac Mini)